I'm looking to redeploy a server for a PHP application that handles medical data, and since I'm in the EU, it needs to comply with GDPR regulations. Currently, it's running on Debian, but I've realized it's not up to par with compliance standards and needs an upgrade. I'm considering a few options: AlmaLinux (with support), Ubuntu LTS (with PRO), RHEL, and of course, Debian Stable.
I'm searching for the best distro for this specific use case, knowing that the distro choice is just the starting point for GDPR compliance. I'm open to using either an EL or a Debian-based distribution.
From my research, it seems that the EL distros have a better reputation for security, stability, and management of critical data, largely due to SELinux's benefits for enforcing security. While I've had experience with both SELinux and AppArmor, I find SELinux to be more effective, though a bit more complex. Also, considering geopolitical risks, I think Ubuntu LTS might be a wise option since it's widely used and is based in the EU.
I'm not looking to containerize with Podman or Docker just yet, so any advice from seasoned admins would really be appreciated!
4 Answers
Honestly, the distro doesn't matter as much as how you configure it. Any Linux distro can meet GDPR compliance if you set it up right and follow the necessary guidelines. Focus on the security measures and configurations more than just the distro itself.
I'm curious, what exactly makes Debian an issue regarding GDPR compliance? It's often seen as a solid choice for servers, so I'm wondering what the drawbacks are.
If I had the chance, I'd go with RHEL because of its support and the web UI features, even though it's pricier. Both Rocky and Alma are solid choices too, but the RHEL experience is pretty polished if you can afford it.
Are you talking about the Cockpit web UI? I've heard great things about it.
Have you considered SUSE? We've been running our HR systems on SLES and it's heavily scrutinized from a GDPR standpoint. It's stable and well-maintained for compliance needs.
Thanks for your insight! I agree that configuration is key, but certain distros do have built-in features or certifications that can aid compliance. Like AlmaLinux and Ubuntu PRO, which come with some compliance tools.